Use After Free Affecting kernel-azure package, versions <6.4.0-150600.8.11.1


Severity

Recommended
medium

Based on SUSE Linux Enterprise Server security rating.

Threat Intelligence

EPSS
0.01% (3rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Use After Free vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-SLES156-KERNELAZURE-7928882
  • published11 Sept 2024
  • disclosed10 Sept 2024

Introduced: 10 Sep 2024

CVE-2024-41051  (opens in a new tab)
CWE-416  (opens in a new tab)

How to fix?

Upgrade SLES:15.6 kernel-azure to version 6.4.0-150600.8.11.1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-azure package and not the kernel-azure package as distributed by SLES. See How to fix? for SLES:15.6 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: wait for ondemand_object_worker to finish when dropping object

When queuing ondemand_object_worker() to re-open the object, cachefiles_object is not pinned. The cachefiles_object may be freed when the pending read request is completed intentionally and the related erofs is umounted. If ondemand_object_worker() runs after the object is freed, it will incur use-after-free problem as shown below.

process A processs B process C process D

cachefiles_ondemand_send_req() // send a read req X // wait for its completion

       // close ondemand fd
       cachefiles_ondemand_fd_release()
       // set object as CLOSE

               cachefiles_ondemand_daemon_read()
               // set object as REOPENING
               queue_work(fscache_wq, &amp;amp;info-&amp;gt;ondemand_work)

                        // close /dev/cachefiles
                        cachefiles_daemon_release
                        cachefiles_flush_reqs
                        complete(&amp;amp;req-&amp;gt;done)

// read req X is completed // umount the erofs fs cachefiles_put_object() // object will be freed cachefiles_ondemand_deinit_obj_info() kmem_cache_free(object) // both info and object are freed ondemand_object_worker()

When dropping an object, it is no longer necessary to reopen the object, so use cancel_work_sync() to cancel or wait for ondemand_object_worker() to finish.

CVSS Base Scores

version 3.1